Researcher hacked her own pacemaker to generate awareness on medical device security

In an attempt to raise awareness on security of medical device, Marie Moe, a security researcher and a hacker, has hacked her own pacemaker.

Register reports that four years ago, Moe got her pacemaker after she experienced a form of arrhythmia and her heart began to slow.

However, she got curious and looked up the pacemaker’s manual and found that the device she had inside her body had wireless capabilities.

So, with the help of Cambridge University industrial control hacker Eireann Leverett she decided to play around with the very machine that is keeping her alive.

Once a part of the Norway’s Computer Emergency Response Team, Moe established that the device had two wireless interfaces: one near field communications for hospital checkups, and the other for communications with a device beside the bed.

Making use of vulnerable SMS and 3G communications channels, the bedside unit sends her personal sensitive medical information to data telemetry stores at the doctor’s work station, says Leverett.

“Personally I am not worried about being remotely-assassinated, I am more worried about software bugs,” Moe told the Chaos Communications Congress in Hamburg, December.

“As a patient I am expected to trust that my device is working correctly and that every security bug has been corrected by the vendor, but I want to see more testing and research [because]we can’t always trust vendors.

“I found the programming device on eBay and I bought it and began research … and it actually contained other patient information.”

The communication hub she bought is readily available online, even though the pacemaker unit is expensive and difficult to acquire for non-patients.

“We had some pairing issues [with the hub], and Marie couldn’t be in the same room for certain types of testing,” Leverett added.

“As a precaution we will not do experiments involving radio frequencies with me in the room,” Moe toldThe Register this week.

Moe and Leverett discovered unnamed devices with high risk, some running Bluetooth, and others sending out dangerous device information to Amazon cloud instances. In that latter instance, a developer at a health monitroing company had posted to an Amazon support forum that the “life of our patients is at stake”.

They said they were keeping a watch on “hundreds” of cardiac patients at home and for the last 24 hours they could not see their electrocardiogram signals.

All ways of critical medical devices have been hacked, some from meters away using wireless technologies. Defibrillators have been turned off, insulin pumps forced to dump their contents, and thousands of hospital networks and databases and critical devices found open to hacking.

“We don’t want to hype the point [of fatal medical exploits]we want to show that hacking can say lives and that hackers are a global resource to save lives,” Leverett says.

In an effort to audit and improve security postures, Moe is among the few of security professionals who are hacking their own life-critical medical devices. Describing the efforts at Black Hat 2011, Researcher Jay Radcliffe has hacked his insulin pump, while free software advocate Karen Sandler has explored her cardiac defibrillator. Further, in an effort to gain access to his medical data, Hugo Campus will be continuing to play around with his defibrillator.

Software errors are not only security-related. In one instance, Moe had to debug her pacemaker after it provided the wrong number of beats that made her nearly collapsed after climbing the stairs at Covent Garden station.

A chain of physical tests disclosed that the pacemaker software was mis-configured